<!doctype html>
<html lang="zh-CN" data-color-mode="dark">
<head>
<meta charset="utf-8">
<title>iptables 备忘清单 &amp; iptables cheatsheet &amp; Quick Reference</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="iptables 备忘清单：iptables 是一个配置 Linux 内核防火墙的命令行工具，是 netfilter 项目的一部分。这个快速参考备忘单显示了它的常用命令使用清单。入门：为开发人员分享快速参考备忘单。">
<meta name="keywords" content="iptables,reference,Quick,Reference,cheatsheet,cheat,sheet">
<link rel="icon" href="data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%2024%2024%22%20fill%3D%22none%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20height%3D%221em%22%20width%3D%221em%22%3E%20%3Cpath%20d%3D%22m21.66%2010.44-.98%204.18c-.84%203.61-2.5%205.07-5.62%204.77-.5-.04-1.04-.13-1.62-.27l-1.68-.4c-4.17-.99-5.46-3.05-4.48-7.23l.98-4.19c.2-.85.44-1.59.74-2.2%201.17-2.42%203.16-3.07%206.5-2.28l1.67.39c4.19.98%205.47%203.05%204.49%207.23Z%22%20fill%3D%22%23c9d1d9%22%2F%3E%20%3Cpath%20d%3D%22M15.06%2019.39c-.62.42-1.4.77-2.35%201.08l-1.58.52c-3.97%201.28-6.06.21-7.35-3.76L2.5%2013.28c-1.28-3.97-.22-6.07%203.75-7.35l1.58-.52c.41-.13.8-.24%201.17-.31-.3.61-.54%201.35-.74%202.2l-.98%204.19c-.98%204.18.31%206.24%204.48%207.23l1.68.4c.58.14%201.12.23%201.62.27Zm2.43-8.88c-.06%200-.12-.01-.19-.02l-4.85-1.23a.75.75%200%200%201%20.37-1.45l4.85%201.23a.748.748%200%200%201-.18%201.47Z%22%20fill%3D%22%23228e6c%22%20%2F%3E%20%3Cpath%20d%3D%22M14.56%2013.89c-.06%200-.12-.01-.19-.02l-2.91-.74a.75.75%200%200%201%20.37-1.45l2.91.74c.4.1.64.51.54.91-.08.34-.38.56-.72.56Z%22%20fill%3D%22%23228e6c%22%20%2F%3E%20%3C%2Fsvg%3E" type="image/svg+xml">
<link rel="stylesheet" href="../style/style.css">
<link rel="stylesheet" href="../style/katex.css">
</head>
</button><script src="../js/dark.js?v=1.4.1"></script><a href="https://github.com/jaywcjlove/reference" class="" target="_blank" rel="noopener noreferrer"><svg viewBox="0 0 16 16" fill="currentColor" height="1em" width="1em"><path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"></path></svg></a></div></div></nav><div class="wrap h1body-exist max-container"><header class="wrap-header h1wrap"><h1 id="iptables-备忘清单"><svg viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg" fill="currentColor" height="1em" width="1em">
  <path d="M107.946667 838.4l57.173333 23.893333v-385.28l-103.68 250.026667c-17.493333 43.52 3.413333 93.44 46.506667 111.36z m832-157.866667L728.32 169.813333a85.888 85.888 0 0 0-77.226667-52.48c-11.093333 0-22.613333 1.706667-33.706666 6.4L302.933333 253.866667a85.290667 85.290667 0 0 0-46.08 110.933333l211.626667 510.72a85.248 85.248 0 0 0 110.933333 46.08l314.026667-130.133333a85.077333 85.077333 0 0 0 46.506667-110.933334zM336.213333 373.333333c-23.466667 0-42.666667-19.2-42.666666-42.666666s19.2-42.666667 42.666666-42.666667 42.666667 19.2 42.666667 42.666667-19.2 42.666667-42.666667 42.666666z m-85.333333 469.333334c0 46.933333 38.4 85.333333 85.333333 85.333333h61.866667l-147.2-355.84v270.506667z"></path>
</svg><a aria-hidden="true" tabindex="-1" href="#iptables-备忘清单"><span class="icon icon-link"></span></a>iptables 备忘清单</h1><div class="wrap-body">
<p>iptables 是一个配置 Linux 内核防火墙的命令行工具，是 <a href="https://en.wikipedia.org/wiki/Netfilter">netfilter</a> 项目的一部分。这个快速参考备忘单显示了它的常用命令使用清单</p>
</div></header><div class="menu-tocs"><div class="menu-btn"><svg aria-hidden="true" fill="currentColor" height="1em" width="1em" viewBox="0 0 16 16" version="1.1" data-view-component="true">
  <path fill-rule="evenodd" d="M2 4a1 1 0 100-2 1 1 0 000 2zm3.75-1.5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zm0 5a.75.75 0 000 1.5h8.5a.75.75 0 000-1.5h-8.5zM3 8a1 1 0 11-2 0 1 1 0 012 0zm-1 6a1 1 0 100-2 1 1 0 000 2z"></path>
</svg></div><div class="menu-modal"><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#入门">入门</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#介绍">介绍</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#安装-iptables">安装 iptables</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#服务管理">服务管理</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#命令参数">命令参数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开始配置规则">开始配置规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#删除插入规则">删除/插入规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#显示规则">显示规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#列出特定链的规则">列出特定链的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#保存规则">保存规则</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#iptables-示例">iptables 示例</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#清空当前的所有规则和计数">清空当前的所有规则和计数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#配置允许-ssh-端口连接">配置允许 ssh 端口连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许本地回环地址可以正常使用">允许本地回环地址可以正常使用</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#设置默认的规则">设置默认的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#配置白名单">配置白名单</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开启相应的服务端口">开启相应的服务端口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#保存规则到配置文件中">保存规则到配置文件中</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#列出已设置的规则">列出已设置的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#清除已有规则">清除已有规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#删除已添加的规则">删除已添加的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#开放指定的端口">开放指定的端口</a><a aria-hidden="true" class="leve3 tocs-link" 
data-num="3" href="#屏蔽-ip">屏蔽 IP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#指定数据包出去的网络接口">指定数据包出去的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#查看已添加的规则">查看已添加的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#启动网络转发规则">启动网络转发规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#端口映射">端口映射</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#字符串匹配">字符串匹配</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止-windows-蠕虫的攻击">阻止 Windows 蠕虫的攻击</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#防止-syn-洪水攻击">防止 SYN 洪水攻击</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许环回连接">允许环回连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许已建立和相关的传入连接">允许已建立和相关的传入连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许已建立的传出连接">允许已建立的传出连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#内部到外部">内部到外部</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃无效数据包">丢弃无效数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止-ip-地址">阻止 IP 地址</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止和-ip-地址并拒绝">阻止和 IP 地址并拒绝</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止与网络接口的连接">阻止与网络接口的连接</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-ssh">允许所有传入的 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的传入-ssh">允许来自特定 IP 地址或子网的传入 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传出-ssh">允许传出 SSH</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的传入-rsync">允许来自特定 IP 地址或子网的传入 Rsync</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-http">允许传入 HTTP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-https">允许传入 HTTPS</a><a 
aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许传入-http-和-https">允许传入 HTTP 和 HTTPS</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的-mysql">允许来自特定 IP 地址或子网的 MySQL</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许-mysql-到特定的网络接口">允许 MySQL 到特定的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许来自特定-ip-地址或子网的-postgresql">允许来自特定 IP 地址或子网的 PostgreSQL</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许-postgresql-到特定的网络接口">允许 PostgreSQL 到特定的网络接口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止传出-smtp-邮件">阻止传出 SMTP 邮件</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-smtp">允许所有传入的 SMTP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-imap">允许所有传入的 IMAP</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-imaps">允许所有传入的 IMAPS</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-pop3">允许所有传入的 POP3</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#允许所有传入的-pop3s">允许所有传入的 POP3S</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#在公共接口上删除专用网络地址">在公共接口上删除专用网络地址</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#将所有传出到-facebook-网络">将所有传出到 Facebook 网络</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#记录和丢弃数据包">记录和丢弃数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#记录和丢弃日志条目数量有限的数据包">记录和丢弃日志条目数量有限的数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃或接受来自-mac-地址的流量">丢弃或接受来自 Mac 地址的流量</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止或允许-icmp-ping-请求">阻止或允许 ICMP Ping 请求</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-multiport-指定多个端口">使用 multiport 指定多个端口</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-random-或-nth-进行负载平衡">使用 random* 或 nth* 进行负载平衡</a><a 
aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-limit-和-iplimit-限制连接数">使用 limit 和 iplimit* 限制连接数</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#维护要匹配的最近连接列表">维护要匹配的最近连接列表</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#匹配数据包数据负载中的-string">匹配数据包数据负载中的 “string*”</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#带有时间的基于时间的规则">带有“时间*”的基于时间的规则</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#基于-ttl-值的数据包匹配">基于 TTL 值的数据包匹配</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#防止端口扫描">防止端口扫描</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#ssh-暴力破解保护">SSH 暴力破解保护</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#同步泛洪保护">同步泛洪保护</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#使用-synproxy-缓解-syn-泛洪">使用 SYNPROXY 缓解 SYN 泛洪</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止非-syn-的新数据包">阻止非 SYN 的新数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#强制碎片数据包检查">强制碎片数据包检查</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#xmas-包">XMAS 包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#丢弃所有-null-数据包">丢弃所有 NULL 数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止不常见的-mss-值">阻止不常见的 MSS 值</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止带有虚假-tcp-标志的数据包">阻止带有虚假 TCP 标志的数据包</a><a aria-hidden="true" class="leve3 tocs-link" data-num="3" href="#阻止来自私有子网的数据包欺骗">阻止来自私有子网的数据包（欺骗）</a><a aria-hidden="true" class="leve2 tocs-link" data-num="2" href="#另见">另见</a></div></div><div class="h1wrap-body"><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="入门"><a aria-hidden="true" tabindex="-1" href="#入门"><span class="icon icon-link"></span></a>入门</h2><div class="wrap-body">
</div></div><div class="h2wrap-body"><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="介绍"><a aria-hidden="true" tabindex="-1" href="#介绍"><span class="icon icon-link"></span></a>介绍</h3><div class="wrap-body">
<p>iptables 使用三个不同的链来允许或阻止流量：输入(input)、输出(output)和转发(forward)</p>
<ul>
<li>输入(input) —— 此链用于控制传入连接的行为</li>
<li>输出(output) —— 此链用于传出连接</li>
<li>转发(forward) —— 这条链用于传入的连接，这些连接实际上不是在本地传递的，比如路由和 NATing</li>
</ul>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="安装-iptables"><a aria-hidden="true" tabindex="-1" href="#安装-iptables"><span class="icon icon-link"></span></a>安装 iptables</h3><div class="wrap-body">
<p>CentOS 7 上默认安装了 firewalld 作为防火墙，使用 iptables 建议关闭并禁用 firewalld。</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ systemctl stop firewalld
</span><span class="code-line">$ systemctl disable firewalld
</span></code></pre>
<p>安装 iptables</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ yum <span class="token function">install</span> <span class="token parameter variable">-y</span> iptables-services
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="服务管理"><a aria-hidden="true" tabindex="-1" href="#服务管理"><span class="icon icon-link"></span></a>服务管理</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ systemctl status iptables  <span class="token comment"># 查看服务状态</span>
</span><span class="code-line">$ systemctl <span class="token builtin class-name">enable</span> iptables  <span class="token comment"># 启用服务</span>
</span><span class="code-line">$ systemctl disable iptables <span class="token comment"># 禁用服务</span>
</span><span class="code-line">$ systemctl start iptables   <span class="token comment"># 启动服务</span>
</span><span class="code-line">$ systemctl restart iptables <span class="token comment"># 重启服务</span>
</span><span class="code-line">$ systemctl stop iptables    <span class="token comment"># 关闭服务</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-3"><div class="wrap-header h3wrap"><h3 id="命令参数"><a aria-hidden="true" tabindex="-1" href="#命令参数"><span class="icon icon-link"></span></a>命令参数</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-3-->
<p>基本语法：</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables<span class="token punctuation">(</span>选项<span class="token punctuation">)</span><span class="token punctuation">(</span>参数<span class="token punctuation">)</span>
</span></code></pre>
<hr>





























































<table><thead><tr><th align="left">参数</th><th>作用</th></tr></thead><tbody><tr><td align="left"><code>-P</code></td><td>设置默认策略：<br><code>iptables -P INPUT DROP</code></td></tr><tr><td align="left"><code>-F</code></td><td>清空规则链</td></tr><tr><td align="left"><code>-L</code></td><td>查看规则链</td></tr><tr><td align="left"><code>-A</code></td><td>在规则链的末尾加入新规则</td></tr><tr><td align="left"><code>-I</code></td><td><code>num</code> 在规则链的头部加入新规则</td></tr><tr><td align="left"><code>-D</code></td><td><code>num</code> 删除某一条规则</td></tr><tr><td align="left"><code>-s</code></td><td>匹配来源地址 <code>IP/MASK</code> <br>加叹号"!"表示除这个 <code>IP</code> 外</td></tr><tr><td align="left"><code>-d</code></td><td>匹配目标地址</td></tr><tr><td align="left"><code>-i</code></td><td>网卡名称 匹配从这块网卡流入的数据</td></tr><tr><td align="left"><code>-o</code></td><td>网卡名称 匹配从这块网卡流出的数据</td></tr><tr><td align="left"><code>-p</code></td><td>匹配协议，如 tcp、udp、icmp</td></tr><tr><td align="left"><code>--dport num</code></td><td>匹配目标端口号</td></tr><tr><td align="left"><code>--sport num</code></td><td>匹配来源端口号</td></tr></tbody></table>
<hr>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> 表名 <span class="token operator">&#x3C;</span>-A/I/D/R<span class="token operator">></span> 规则链名 <span class="token punctuation">[</span>规则号<span class="token punctuation">]</span> <span class="token operator">&#x3C;</span>-i/o 网卡名<span class="token operator">></span> <span class="token parameter variable">-p</span> 协议名 <span class="token operator">&#x3C;</span>-s 源IP/源子网<span class="token operator">></span> <span class="token parameter variable">--sport</span> 源端口 <span class="token operator">&#x3C;</span>-d 目标IP/目标子网<span class="token operator">></span> <span class="token parameter variable">--dport</span> 目标端口 <span class="token parameter variable">-j</span> 动作
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="开始配置规则"><a aria-hidden="true" tabindex="-1" href="#开始配置规则"><span class="icon icon-link"></span></a>开始配置规则</h3><div class="wrap-body">
<p>默认情况下，所有链都配置为接受规则，因此在强化过程中，建议从拒绝所有配置开始，然后只打开需要的端口。注意：如果是通过 SSH 远程操作，应先添加允许 SSH 端口以及 ESTABLISHED,RELATED 连接的规则，再把默认策略改为 DROP，否则会把自己锁在服务器之外：</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> INPUT DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> OUTPUT DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">--policy</span> FORWARD DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="删除插入规则"><a aria-hidden="true" tabindex="-1" href="#删除插入规则"><span class="icon icon-link"></span></a>删除/插入规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>按链条和编号删除规则</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token number">10</span>
</span></code></pre>
<p>按规范删除规则</p>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<!--rehype:className=wrap-text-->
<p>清空所有规则，删除所有用户自定义链，并把默认策略设为 ACCEPT</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-P</span> INPUT ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> FORWARD ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> OUTPUT ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span>
</span></code></pre>
<hr>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># 清空所有链</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span>
</span><span class="code-line"><span class="token comment"># 清空单条链</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span> INPUT
</span><span class="code-line"><span class="token comment"># 插入规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token number">2</span> <span class="token parameter variable">-s</span> <span class="token number">202.54</span>.1.2 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="显示规则"><a aria-hidden="true" tabindex="-1" href="#显示规则"><span class="icon icon-link"></span></a>显示规则</h3><div class="wrap-body">
<p>详细打印出所有活动的 <code>iptables</code> 规则</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-n</span> <span class="token parameter variable">-L</span> <span class="token parameter variable">-v</span>
</span></code></pre>
<p>...具有行号的相同输出：</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-n</span> <span class="token parameter variable">-L</span> <span class="token parameter variable">-v</span> --line-numbers
</span></code></pre>
<p>最后，相同的数据输出但与 <code>INPUT</code>/<code>OUTPUT</code> 链相关：</p>
<pre class="wrap-text"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> OUTPUT <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span> --line-numbers
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="列出特定链的规则"><a aria-hidden="true" tabindex="-1" href="#列出特定链的规则"><span class="icon icon-link"></span></a>列出特定链的规则</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT
</span><span class="code-line"><span class="token comment"># 具有规则规范的相同数据：</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-S</span> INPUT
</span><span class="code-line"><span class="token comment"># 包含数据包计数的规则列表</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT <span class="token parameter variable">-v</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="保存规则"><a aria-hidden="true" tabindex="-1" href="#保存规则"><span class="icon icon-link"></span></a>保存规则</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token comment"># 在基于 Debian 的系统上</span>
</span><span class="code-line">$ netfilter-persistent save
</span><span class="code-line"><span class="token comment"># 在基于 RedHat 的系统上</span>
</span><span class="code-line">$ <span class="token function">service</span> iptables save
</span></code></pre>
</div></div></div></div></div><div class="wrap h2body-exist"><div class="wrap-header h2wrap"><h2 id="iptables-示例"><a aria-hidden="true" tabindex="-1" href="#iptables-示例"><span class="icon icon-link"></span></a>iptables 示例</h2><div class="wrap-body">
<!--rehype:body-class=cols-2-->
</div></div><div class="h2wrap-body cols-2"><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="清空当前的所有规则和计数"><a aria-hidden="true" tabindex="-1" href="#清空当前的所有规则和计数"><span class="icon icon-link"></span></a>清空当前的所有规则和计数</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-F</span>  <span class="token comment"># 清空所有的防火墙规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span>  <span class="token comment"># 删除用户自定义的空链</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-Z</span>  <span class="token comment"># 清空计数</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="配置允许-ssh-端口连接"><a aria-hidden="true" tabindex="-1" href="#配置允许-ssh-端口连接"><span class="icon icon-link"></span></a>配置允许 ssh 端口连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
<p><code>22</code> 为你的 <code>ssh</code> 端口，<code>-s 192.168.1.0/24</code> 表示只允许这个网段的机器来连接；其它网段的 <code>ip</code> 地址登录不了你的机器（前提是 <code>INPUT</code> 链的默认策略为 <code>DROP</code>，或者在这条规则之后有拒绝规则，否则这条规则本身并不会阻止其它来源）。<code>-j ACCEPT</code> 表示接受这样的请求</p>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许本地回环地址可以正常使用"><a aria-hidden="true" tabindex="-1" href="#允许本地回环地址可以正常使用"><span class="icon icon-link"></span></a>允许本地回环地址可以正常使用</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 本地回环地址就是 127.0.0.1</span>
</span><span class="code-line"><span class="token comment"># 是本机上使用的,它进与出都设置为允许</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="设置默认的规则"><a aria-hidden="true" tabindex="-1" href="#设置默认的规则"><span class="icon icon-link"></span></a>设置默认的规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 配置默认的不让进</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> INPUT DROP
</span><span class="code-line"><span class="token comment"># 默认的不允许转发</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> FORWARD DROP
</span><span class="code-line"><span class="token comment"># 默认的可以出去</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-P</span> OUTPUT ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="配置白名单"><a aria-hidden="true" tabindex="-1" href="#配置白名单"><span class="icon icon-link"></span></a>配置白名单</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-j</span> ACCEPT 
</span><span class="code-line"><span class="token comment"># 允许机房内网机器可以访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> all <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.140.0/24 <span class="token parameter variable">-j</span> ACCEPT 
</span><span class="code-line"><span class="token comment"># 允许 183.121.3.7 访问本机的3380端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">183.121</span>.3.7 <span class="token parameter variable">--dport</span> <span class="token number">3380</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="开启相应的服务端口"><a aria-hidden="true" tabindex="-1" href="#开启相应的服务端口"><span class="icon icon-link"></span></a>开启相应的服务端口</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 开启 80 端口，因为web对外都是这个端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许被 ping</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp --icmp-type <span class="token number">8</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 已经建立的连接得让它进来</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="保存规则到配置文件中"><a aria-hidden="true" tabindex="-1" href="#保存规则到配置文件中"><span class="icon icon-link"></span></a>保存规则到配置文件中</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 任何改动之前先备份，请保持这一优秀的习惯</span>
</span><span class="code-line">$ <span class="token function">cp</span> /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
</span><span class="code-line">$ iptables-save <span class="token operator">></span> /etc/sysconfig/iptables
</span><span class="code-line">$ <span class="token function">cat</span> /etc/sysconfig/iptables
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="列出已设置的规则"><a aria-hidden="true" tabindex="-1" href="#列出已设置的规则"><span class="icon icon-link"></span></a>列出已设置的规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token punctuation">[</span>-t 表名<span class="token punctuation">]</span><span class="token punctuation">[</span>链名<span class="token punctuation">]</span>
</span></code></pre>
<hr>
<ul>
<li>四个表名 <code>raw</code>，<code>nat</code>，<code>filter</code>，<code>mangle</code></li>
<li>五个规则链名 <code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code>、<code>PREROUTING</code>、<code>POSTROUTING</code></li>
<li>filter 表包含<code>INPUT</code>、<code>OUTPUT</code>、<code>FORWARD</code>三个规则链</li>
</ul>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 列出 nat 上面的所有规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat                
</span><span class="code-line"><span class="token comment">#            ^ -t 参数指定，必须是 raw， nat，filter，mangle 中的一个</span>
</span><span class="code-line"><span class="token comment"># 规则带编号</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-t</span> nat  --line-numbers
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> INPUT
</span><span class="code-line"><span class="token comment"># 查看，这个列表看起来更详细</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-nv</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="清除已有规则"><a aria-hidden="true" tabindex="-1" href="#清除已有规则"><span class="icon icon-link"></span></a>清除已有规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 清空指定链 INPUT 上面的所有规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-F</span> INPUT
</span><span class="code-line"><span class="token comment"># 删除指定的链，这个链必须没有被其它任何规则引用，</span>
</span><span class="code-line"><span class="token comment"># 而且这条上必须没有任何规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-X</span> INPUT
</span><span class="code-line">    <span class="token comment"># 如果没有指定链名，则会删除该表中所有非内置的链</span>
</span><span class="code-line"><span class="token comment"># 把指定链，或者表中的所有链上的所有计数器清零</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-Z</span> INPUT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="删除已添加的规则"><a aria-hidden="true" tabindex="-1" href="#删除已添加的规则"><span class="icon icon-link"></span></a>删除已添加的规则</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 添加一条规则</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.5 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p>将所有 iptables 以序号标记显示，执行：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> --line-numbers
</span></code></pre>
<p>比如要删除 INPUT 里序号为 8 的规则，执行：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-D</span> INPUT <span class="token number">8</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="开放指定的端口"><a aria-hidden="true" tabindex="-1" href="#开放指定的端口"><span class="icon icon-link"></span></a>开放指定的端口</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 允许本地回环接口(即运行本机访问本机)</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-d</span> <span class="token number">127.0</span>.0.1 <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许已建立的或相关连的通行</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许所有本机向外的访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许访问22端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许访问80端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许ftp服务的21端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">21</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 允许FTP服务的20端口</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">20</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line"><span class="token comment"># 禁止其他未允许的规则访问</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-j</span> REJECT
</span><span class="code-line"><span class="token comment"># 转发链同样拒绝其他未明确允许的流量</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="屏蔽-ip"><a aria-hidden="true" tabindex="-1" href="#屏蔽-ip"><span class="icon icon-link"></span></a>屏蔽 IP</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line"><span class="token comment"># 屏蔽恶意主机（比如 192.168.0.8）</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.0.8 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 屏蔽单个IP的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.7 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封整个段即从123.0.0.1到123.255.255.254的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封IP段即从123.45.0.1到123.45.255.254的命令</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.0.0/16 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token comment"># 封IP段即从123.45.6.1到123.45.6.254的命令是</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">123.45</span>.6.0/24 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="指定数据包出去的网络接口"><a aria-hidden="true" tabindex="-1" href="#指定数据包出去的网络接口"><span class="icon icon-link"></span></a>指定数据包出去的网络接口</h3><div class="wrap-body">
<p><code>-o</code> 选项只对 OUTPUT、FORWARD、POSTROUTING 三个链起作用。下面的示例未指定 <code>-j</code> 目标，匹配到的数据包只会累加规则计数器，不会被放行或丢弃；实际使用时需要加上目标。</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-o</span> eth0
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="查看已添加的规则"><a aria-hidden="true" tabindex="-1" href="#查看已添加的规则"><span class="icon icon-link"></span></a>查看已添加的规则</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-L</span> <span class="token parameter variable">-n</span> <span class="token parameter variable">-v</span>
</span><span class="code-line">Chain INPUT <span class="token punctuation">(</span>policy DROP <span class="token number">48106</span> packets, 2690K bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line"> <span class="token number">5075</span>  589K ACCEPT     all  --  lo     *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span><span class="code-line"> 191K   90M ACCEPT     tcp  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           tcp dpt:22
</span><span class="code-line">1499K  133M ACCEPT     tcp  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           tcp dpt:80
</span><span class="code-line">4364K 6351M ACCEPT     all  --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0           state RELATED,ESTABLISHED
</span><span class="code-line"> <span class="token number">6256</span>  327K ACCEPT     icmp --  *      *       <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span><span class="code-line">Chain FORWARD <span class="token punctuation">(</span>policy ACCEPT <span class="token number">0</span> packets, <span class="token number">0</span> bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line">Chain OUTPUT <span class="token punctuation">(</span>policy ACCEPT 3382K packets, 1819M bytes<span class="token punctuation">)</span>
</span><span class="code-line"> pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</span><span class="code-line"> <span class="token number">5075</span>  589K ACCEPT     all  --  *      lo      <span class="token number">0.0</span>.0.0/0            <span class="token number">0.0</span>.0.0/0
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="启动网络转发规则"><a aria-hidden="true" tabindex="-1" href="#启动网络转发规则"><span class="icon icon-link"></span></a>启动网络转发规则</h3><div class="wrap-body">
<p>通过公网地址 <code>210.14.67.127</code> 让内网 <code>192.168.188.0/24</code> 上网（SNAT）</p>
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> POSTROUTING <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.188.0/24 <span class="token parameter variable">-j</span> SNAT --to-source <span class="token number">210.14</span>.67.127
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="端口映射"><a aria-hidden="true" tabindex="-1" href="#端口映射"><span class="icon icon-link"></span></a>端口映射</h3><div class="wrap-body">
<p>将本机的 2222 端口映射到内网虚拟机的 22 端口（DNAT）</p>
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-d</span> <span class="token number">210.14</span>.67.127 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">2222</span>  <span class="token parameter variable">-j</span> DNAT --to-dest <span class="token number">192.168</span>.188.115:22
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist row-span-2"><div class="wrap-header h3wrap"><h3 id="字符串匹配"><a aria-hidden="true" tabindex="-1" href="#字符串匹配"><span class="icon icon-link"></span></a>字符串匹配</h3><div class="wrap-body">
<!--rehype:wrap-class=row-span-2-->
<p>比如，我们要过滤所有 TCP 连接中的字符串<code>test</code>，一旦出现它我们就终止这个连接，我们可以这么做：</p>
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"test"</span> <span class="token parameter variable">-j</span> REJECT --reject-with tcp-reset
</span><span class="code-line">$ iptables <span class="token parameter variable">-L</span>
</span><span class="code-line"><span class="token comment"># Chain INPUT (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target     prot opt source          destination</span>
</span><span class="code-line"><span class="token comment"># REJECT     tcp  --  anywhere        anywhere        STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset</span>
</span><span class="code-line"><span class="token comment">#</span>
</span><span class="code-line"><span class="token comment"># Chain FORWARD (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target     prot opt source          destination</span>
</span><span class="code-line"><span class="token comment">#</span>
</span><span class="code-line"><span class="token comment"># Chain OUTPUT (policy ACCEPT)</span>
</span><span class="code-line"><span class="token comment"># target     prot opt source          destination</span>
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止-windows-蠕虫的攻击"><a aria-hidden="true" tabindex="-1" href="#阻止-windows-蠕虫的攻击"><span class="icon icon-link"></span></a>阻止 Windows 蠕虫的攻击</h3><div class="wrap-body">
<pre class="wrap-text"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-I</span> INPUT <span class="token parameter variable">-j</span> DROP <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">0.0</span>.0.0/0 <span class="token parameter variable">-m</span> string <span class="token parameter variable">--algo</span> kmp <span class="token parameter variable">--string</span> <span class="token string">"cmd.exe"</span>
</span></code></pre>
<!--rehype:className=wrap-text-->
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="防止-syn-洪水攻击"><a aria-hidden="true" tabindex="-1" href="#防止-syn-洪水攻击"><span class="icon icon-link"></span></a>防止 SYN 洪水攻击</h3><div class="wrap-body">
<pre class="language-shell"><code class="language-shell code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">5</span>/second <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
<p>这条规则只放行每秒最多 5 个新建连接（SYN），超出限速的 SYN 并不会被它丢弃；需要在其后再追加一条针对 <code>--syn</code> 的 DROP 规则，或把 INPUT 链的默认策略设为 DROP，限速才会真正生效。</p>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许环回连接"><a aria-hidden="true" tabindex="-1" href="#允许环回连接"><span class="icon icon-link"></span></a>允许环回连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> lo <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许已建立和相关的传入连接"><a aria-hidden="true" tabindex="-1" href="#允许已建立和相关的传入连接"><span class="icon icon-link"></span></a>允许已建立和相关的传入连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED,RELATED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许已建立的传出连接"><a aria-hidden="true" tabindex="-1" href="#允许已建立的传出连接"><span class="icon icon-link"></span></a>允许已建立的传出连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="内部到外部"><a aria-hidden="true" tabindex="-1" href="#内部到外部"><span class="icon icon-link"></span></a>内部到外部</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃无效数据包"><a aria-hidden="true" tabindex="-1" href="#丢弃无效数据包"><span class="icon icon-link"></span></a>丢弃无效数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止-ip-地址"><a aria-hidden="true" tabindex="-1" href="#阻止-ip-地址"><span class="icon icon-link"></span></a>阻止 IP 地址</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止和-ip-地址并拒绝"><a aria-hidden="true" tabindex="-1" href="#阻止和-ip-地址并拒绝"><span class="icon icon-link"></span></a>阻止和 IP 地址并拒绝</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止与网络接口的连接"><a aria-hidden="true" tabindex="-1" href="#阻止与网络接口的连接"><span class="icon icon-link"></span></a>阻止与网络接口的连接</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.10 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-ssh"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-ssh"><span class="icon icon-link"></span></a>允许所有传入的 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的传入-ssh"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的传入-ssh"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的传入 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传出-ssh"><a aria-hidden="true" tabindex="-1" href="#允许传出-ssh"><span class="icon icon-link"></span></a>允许传出 SSH</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">22</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的传入-rsync"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的传入-rsync"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的传入 Rsync</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">873</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">873</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-http"><a aria-hidden="true" tabindex="-1" href="#允许传入-http"><span class="icon icon-link"></span></a>允许传入 HTTP</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-https"><a aria-hidden="true" tabindex="-1" href="#允许传入-https"><span class="icon icon-link"></span></a>允许传入 HTTPS</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许传入-http-和-https"><a aria-hidden="true" tabindex="-1" href="#允许传入-http-和-https"><span class="icon icon-link"></span></a>允许传入 HTTP 和 HTTPS</h3><div class="wrap-body">
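<!-- The OUTPUT rule matches the local server's reply packets, so it must filter on the source ports (--sports), consistent with the single-port HTTP/HTTPS rules above that use --sport; --dports here would only match outbound client connections. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> <span class="token number">80,443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--sports</span> <span class="token number">80,443</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>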
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的-mysql"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的-mysql"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的 MySQL</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许-mysql-到特定的网络接口"><a aria-hidden="true" tabindex="-1" href="#允许-mysql-到特定的网络接口"><span class="icon icon-link"></span></a>允许 MySQL 到特定的网络接口</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">3306</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许来自特定-ip-地址或子网的-postgresql"><a aria-hidden="true" tabindex="-1" href="#允许来自特定-ip-地址或子网的-postgresql"><span class="icon icon-link"></span></a>允许来自特定 IP 地址或子网的 PostgreSQL</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">--dport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许-postgresql-到特定的网络接口"><a aria-hidden="true" tabindex="-1" href="#允许-postgresql-到特定的网络接口"><span class="icon icon-link"></span></a>允许 PostgreSQL 到特定的网络接口</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-o</span> eth1 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">5432</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止传出-smtp-邮件"><a aria-hidden="true" tabindex="-1" href="#阻止传出-smtp-邮件"><span class="icon icon-link"></span></a>阻止传出 SMTP 邮件</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">25</span> <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-smtp"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-smtp"><span class="icon icon-link"></span></a>允许所有传入的 SMTP</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">25</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">25</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-imap"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-imap"><span class="icon icon-link"></span></a>允许所有传入的 IMAP</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">143</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">143</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-imaps"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-imaps"><span class="icon icon-link"></span></a>允许所有传入的 IMAPS</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">993</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">993</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-pop3"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-pop3"><span class="icon icon-link"></span></a>允许所有传入的 POP3</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">110</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">110</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="允许所有传入的-pop3s"><a aria-hidden="true" tabindex="-1" href="#允许所有传入的-pop3s"><span class="icon icon-link"></span></a>允许所有传入的 POP3S</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">995</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW,ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--sport</span> <span class="token number">995</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> ESTABLISHED <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="在公共接口上删除专用网络地址"><a aria-hidden="true" tabindex="-1" href="#在公共接口上删除专用网络地址"><span class="icon icon-link"></span></a>在公共接口上丢弃私有网络地址</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">192.168</span>.1.0/24 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="将所有传出到-facebook-网络"><a aria-hidden="true" tabindex="-1" href="#将所有传出到-facebook-网络"><span class="icon icon-link"></span></a>拒绝所有传出到 Facebook 网络的流量</h3><div class="wrap-body">
<p>获取 Facebook 的 AS（自治系统）号：</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ whois <span class="token parameter variable">-h</span> v4.whois.cymru.com <span class="token string">" -v <span class="token variable"><span class="token variable">$(</span><span class="token function">host</span> facebook.com <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">"has address"</span> <span class="token operator">|</span> <span class="token function">cut</span> <span class="token parameter variable">-d</span> <span class="token string">" "</span> <span class="token parameter variable">-f4</span><span class="token variable">)</span></span>"</span> <span class="token operator">|</span> <span class="token function">tail</span> <span class="token parameter variable">-n1</span> <span class="token operator">|</span> <span class="token function">awk</span> <span class="token string">'{print $1}'</span>
</span></code></pre>
<p>拒绝该 AS 通告的所有网段（把上一步得到的 AS 号替换到 <code>-i origin</code> 后面）：</p>
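<!-- The AS number in the whois query should be the one returned by the lookup above. The trailing "sed 's/$/;/'" that appended ';' to every prefix was removed: iptables does not accept "a.b.c.0/24;" as a network, so every rule in the loop would have failed. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ <span class="token keyword">for</span> <span class="token for-or-select variable">i</span> <span class="token keyword">in</span> <span class="token variable"><span class="token variable">$(</span>whois <span class="token parameter variable">-h</span> whois.radb.net -- <span class="token string">'-i origin AS1273'</span> <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">"^route:"</span> <span class="token operator">|</span> <span class="token function">cut</span> <span class="token parameter variable">-d</span> <span class="token string">":"</span> <span class="token parameter variable">-f2</span> <span class="token operator">|</span> <span class="token function">sed</span> <span class="token parameter variable">-e</span> <span class="token string">'s/^[ \t]*//'</span> <span class="token operator">|</span> <span class="token function">sort</span> <span class="token parameter variable">-n</span> <span class="token parameter variable">-t</span> <span class="token builtin class-name">.</span> <span class="token parameter variable">-k</span> <span class="token number">1,1</span> <span class="token parameter variable">-k</span> <span class="token number">2,2</span> <span class="token parameter variable">-k</span> <span class="token number">3,3</span> <span class="token parameter variable">-k</span> <span class="token number">4,4</span><span class="token variable">)</span></span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">  iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-s</span> <span class="token string">"<span class="token variable">$i</span>"</span> <span class="token parameter variable">-j</span> REJECT
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>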
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="记录和丢弃数据包"><a aria-hidden="true" tabindex="-1" href="#记录和丢弃数据包"><span class="icon icon-link"></span></a>记录和丢弃数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> LOG --log-prefix <span class="token string">"IP_SPOOF A: "</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p>默认情况下，所有内容都记录到 <code>/var/log/messages</code> 文件中：</p>
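<!-- Two separate commands (the original had lost the line break). The grep pattern must match the --log-prefix used above, "IP_SPOOF A: " (underscore, not a space), or nothing is found. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ <span class="token function">tail</span> <span class="token parameter variable">-f</span> /var/log/messages
</span><span class="code-line">$ <span class="token function">grep</span> <span class="token parameter variable">--color</span> <span class="token string">'IP_SPOOF'</span> /var/log/messages
</span></code></pre>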
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="记录和丢弃日志条目数量有限的数据包"><a aria-hidden="true" tabindex="-1" href="#记录和丢弃日志条目数量有限的数据包"><span class="icon icon-link"></span></a>记录和丢弃日志条目数量有限的数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">5</span>/m --limit-burst <span class="token number">7</span> <span class="token parameter variable">-j</span> LOG --log-prefix <span class="token string">"IP_SPOOF A: "</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-s</span> <span class="token number">10.0</span>.0.0/8 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃或接受来自-mac-地址的流量"><a aria-hidden="true" tabindex="-1" href="#丢弃或接受来自-mac-地址的流量"><span class="icon icon-link"></span></a>丢弃或接受来自 Mac 地址的流量</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> mac --mac-source 00:0F:EA:91:04:08 <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --destination-port <span class="token number">22</span> <span class="token parameter variable">-m</span> mac --mac-source 00:0F:EA:91:04:07 <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止或允许-icmp-ping-请求"><a aria-hidden="true" tabindex="-1" href="#阻止或允许-icmp-ping-请求"><span class="icon icon-link"></span></a>阻止或允许 ICMP Ping 请求</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp --icmp-type echo-request <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-p</span> icmp --icmp-type echo-request <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-multiport-指定多个端口"><a aria-hidden="true" tabindex="-1" href="#使用-multiport-指定多个端口"><span class="icon icon-link"></span></a>使用 multiport 指定多个端口</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> ssh,smtp,http,https <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-random-或-nth-进行负载平衡"><a aria-hidden="true" tabindex="-1" href="#使用-random-或-nth-进行负载平衡"><span class="icon icon-link"></span></a>使用 <code>random*</code> 或 <code>nth*</code> 进行负载平衡</h3><div class="wrap-body">
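<!-- DNAT is only valid in the nat table and PREROUTING only exists there, so -t nat is required. Each rule needs its own --packet slot (0..every-1); a single shared --packet 0 cannot round-robin across backends. The loop iterates over array indices so the slot, the backend and --every all derive from the array. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token assign-left variable">_ips</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"172.31.250.10"</span> <span class="token string">"172.31.250.11"</span> <span class="token string">"172.31.250.12"</span> <span class="token string">"172.31.250.13"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">n</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${!_ips<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">  iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> nth <span class="token parameter variable">--counter</span> <span class="token number">0</span> <span class="token parameter variable">--every</span> <span class="token string">"<span class="token variable">${#_ips[@]}</span>"</span> <span class="token parameter variable">--packet</span> <span class="token string">"<span class="token variable">$n</span>"</span> <span class="token punctuation">\</span>
</span><span class="code-line">    <span class="token parameter variable">-j</span> DNAT --to-destination <span class="token variable">${_ips[$n]}</span>:80
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>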
<p>or</p>
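<!-- DNAT is only valid in the nat table and PREROUTING only exists there, so -t nat is required; the original also had the line breaks of the loop collapsed. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token assign-left variable">_ips</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"172.31.250.10"</span> <span class="token string">"172.31.250.11"</span> <span class="token string">"172.31.250.12"</span> <span class="token string">"172.31.250.13"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">ip</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${_ips<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">  iptables <span class="token parameter variable">-t</span> nat <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token number">80</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-m</span> random <span class="token parameter variable">--average</span> <span class="token number">25</span> <span class="token punctuation">\</span>
</span><span class="code-line">    <span class="token parameter variable">-j</span> DNAT --to-destination <span class="token variable">${ip}</span>:80
</span><span class="code-line"><span class="token keyword">done</span>
</span></code></pre>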
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-limit-和-iplimit-限制连接数"><a aria-hidden="true" tabindex="-1" href="#使用-limit-和-iplimit-限制连接数"><span class="icon icon-link"></span></a>使用 limit 和 <code>iplimit*</code> 限制连接数</h3><div class="wrap-body">
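<!-- With -p tcp present, --dport belongs to the tcp match and rejects a port list; the multiport option is --dports, as used in the HTTP/HTTPS multiport rule above. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> http,https <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">20</span>/hour --limit-burst <span class="token number">5</span> <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>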
<p>or</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">--dport</span> http <span class="token parameter variable">-m</span> iplimit --iplimit-above <span class="token number">5</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="维护要匹配的最近连接列表"><a aria-hidden="true" tabindex="-1" href="#维护要匹配的最近连接列表"><span class="icon icon-link"></span></a>维护要匹配的最近连接列表</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--name</span> portscan <span class="token parameter variable">--rcheck</span> <span class="token parameter variable">--seconds</span> <span class="token number">100</span> <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-i</span> eth0 <span class="token parameter variable">--dport</span> <span class="token number">443</span> <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--name</span> portscan <span class="token parameter variable">--set</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="匹配数据包数据负载中的-string"><a aria-hidden="true" tabindex="-1" href="#匹配数据包数据负载中的-string"><span class="icon icon-link"></span></a>匹配数据包数据负载中的 “string*”</h3><div class="wrap-body">
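<!-- The string match requires a search algorithm (--algo bm or kmp); without it iptables refuses the rule. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> string <span class="token parameter variable">--string</span> <span class="token string">'.com'</span> <span class="token parameter variable">--algo</span> bm <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-m</span> string <span class="token parameter variable">--string</span> <span class="token string">'.exe'</span> <span class="token parameter variable">--algo</span> bm <span class="token parameter variable">-j</span> DROP
</span></code></pre>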
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="带有时间的基于时间的规则"><a aria-hidden="true" tabindex="-1" href="#带有时间的基于时间的规则"><span class="icon icon-link"></span></a>使用 <code>time*</code> 匹配的基于时间的规则</h3><div class="wrap-body">
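<!-- With -p tcp present, --dport belongs to the tcp match and rejects a port list; the multiport option is --dports, as used in the HTTP/HTTPS multiport rule above. -->
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> FORWARD <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> multiport <span class="token parameter variable">--dports</span> http,https <span class="token parameter variable">-o</span> eth0 <span class="token parameter variable">-i</span> eth1 <span class="token parameter variable">-m</span> <span class="token function">time</span> <span class="token parameter variable">--timestart</span> <span class="token number">21</span>:30 <span class="token parameter variable">--timestop</span> <span class="token number">22</span>:30 <span class="token parameter variable">--days</span> Mon,Tue,Wed,Thu,Fri <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>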
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="基于-ttl-值的数据包匹配"><a aria-hidden="true" tabindex="-1" href="#基于-ttl-值的数据包匹配"><span class="icon icon-link"></span></a>基于 TTL 值的数据包匹配</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-s</span> <span class="token number">1.2</span>.3.4 <span class="token parameter variable">-m</span> ttl --ttl-lt <span class="token number">40</span> <span class="token parameter variable">-j</span> REJECT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="防止端口扫描"><a aria-hidden="true" tabindex="-1" href="#防止端口扫描"><span class="icon icon-link"></span></a>防止端口扫描</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-N</span> port-scanning
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> port-scanning <span class="token parameter variable">-p</span> tcp --tcp-flags SYN,ACK,FIN,RST RST <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">2</span> <span class="token parameter variable">-j</span> RETURN
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> port-scanning <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="ssh-暴力破解保护"><a aria-hidden="true" tabindex="-1" href="#ssh-暴力破解保护"><span class="icon icon-link"></span></a>SSH 暴力破解保护</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token function">ssh</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--set</span>
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--dport</span> <span class="token function">ssh</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> recent <span class="token parameter variable">--update</span> <span class="token parameter variable">--seconds</span> <span class="token number">60</span> <span class="token parameter variable">--hitcount</span> <span class="token number">10</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="同步泛洪保护"><a aria-hidden="true" tabindex="-1" href="#同步泛洪保护"><span class="icon icon-link"></span></a>SYN 泛洪保护</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-N</span> syn_flood
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-j</span> syn_flood
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> syn_flood <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">3</span> <span class="token parameter variable">-j</span> RETURN
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> syn_flood <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span>  <span class="token number">1</span>/s --limit-burst <span class="token number">1</span> <span class="token parameter variable">-j</span> ACCEPT
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-m</span> limit <span class="token parameter variable">--limit</span> <span class="token number">1</span>/s --limit-burst <span class="token number">1</span> <span class="token parameter variable">-j</span> LOG --log-prefix PING-DROP:
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">iptables <span class="token parameter variable">-A</span> OUTPUT <span class="token parameter variable">-p</span> icmp <span class="token parameter variable">-j</span> ACCEPT
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="使用-synproxy-缓解-syn-泛洪"><a aria-hidden="true" tabindex="-1" href="#使用-synproxy-缓解-syn-泛洪"><span class="icon icon-link"></span></a>使用 SYNPROXY 缓解 SYN 泛洪</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> raw <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">--syn</span> <span class="token parameter variable">-j</span> CT <span class="token parameter variable">--notrack</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> tcp <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID,UNTRACKED <span class="token parameter variable">-j</span> SYNPROXY --sack-perm <span class="token parameter variable">--timestamp</span> <span class="token parameter variable">--wscale</span> <span class="token number">7</span> <span class="token parameter variable">--mss</span> <span class="token number">1460</span>
</span><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> INVALID <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止非-syn-的新数据包"><a aria-hidden="true" tabindex="-1" href="#阻止非-syn-的新数据包"><span class="icon icon-link"></span></a>阻止非 SYN 的新数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp <span class="token operator">!</span> <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> state <span class="token parameter variable">--state</span> NEW <span class="token parameter variable">-j</span> DROP
</span></code></pre>
<p>或</p>
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token operator">!</span> <span class="token parameter variable">--syn</span> <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="强制碎片数据包检查"><a aria-hidden="true" tabindex="-1" href="#强制碎片数据包检查"><span class="icon icon-link"></span></a>强制碎片数据包检查</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-f</span> <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="xmas-包"><a aria-hidden="true" tabindex="-1" href="#xmas-包"><span class="icon icon-link"></span></a>XMAS 包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --tcp-flags ALL ALL <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="丢弃所有-null-数据包"><a aria-hidden="true" tabindex="-1" href="#丢弃所有-null-数据包"><span class="icon icon-link"></span></a>丢弃所有 NULL 数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-A</span> INPUT <span class="token parameter variable">-p</span> tcp --tcp-flags ALL NONE <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止不常见的-mss-值"><a aria-hidden="true" tabindex="-1" href="#阻止不常见的-mss-值"><span class="icon icon-link"></span></a>阻止不常见的 MSS 值</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp <span class="token parameter variable">-m</span> conntrack <span class="token parameter variable">--ctstate</span> NEW <span class="token parameter variable">-m</span> tcpmss <span class="token operator">!</span> <span class="token parameter variable">--mss</span> <span class="token number">536</span>:65535 <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止带有虚假-tcp-标志的数据包"><a aria-hidden="true" tabindex="-1" href="#阻止带有虚假-tcp-标志的数据包"><span class="icon icon-link"></span></a>阻止带有虚假 TCP 标志的数据包</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,SYN FIN,SYN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags SYN,RST SYN,RST <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,RST FIN,RST <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags FIN,ACK FIN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,URG URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,FIN FIN <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ACK,PSH PSH <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL ALL <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL NONE <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL FIN,PSH,URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL SYN,FIN,PSH,URG <span class="token parameter variable">-j</span> DROP
</span><span class="code-line">$ iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-p</span> tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div><div class="wrap h3body-not-exist"><div class="wrap-header h3wrap"><h3 id="阻止来自私有子网的数据包欺骗"><a aria-hidden="true" tabindex="-1" href="#阻止来自私有子网的数据包欺骗"><span class="icon icon-link"></span></a>阻止来自私有子网的数据包（欺骗）</h3><div class="wrap-body">
<pre class="language-bash"><code class="language-bash code-highlight"><span class="code-line"><span class="token assign-left variable">_subnets</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token string">"224.0.0.0/3"</span> <span class="token string">"169.254.0.0/16"</span> <span class="token string">"172.16.0.0/12"</span> <span class="token string">"192.0.2.0/24"</span> <span class="token string">"192.168.0.0/16"</span> <span class="token string">"10.0.0.0/8"</span> <span class="token string">"0.0.0.0/8"</span> <span class="token string">"240.0.0.0/5"</span><span class="token punctuation">)</span>
</span><span class="code-line"><span class="token keyword">for</span> <span class="token for-or-select variable">_sub</span> <span class="token keyword">in</span> <span class="token string">"<span class="token variable">${_subnets<span class="token punctuation">[</span>@<span class="token punctuation">]</span>}</span>"</span> <span class="token punctuation">;</span> <span class="token keyword">do</span>
</span><span class="code-line">  iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-s</span> <span class="token string">"<span class="token variable">$_sub</span>"</span> <span class="token parameter variable">-j</span> DROP
</span><span class="code-line"><span class="token keyword">done</span>
</span><span class="code-line">iptables <span class="token parameter variable">-t</span> mangle <span class="token parameter variable">-A</span> PREROUTING <span class="token parameter variable">-s</span> <span class="token number">127.0</span>.0.0/8 <span class="token operator">!</span> <span class="token parameter variable">-i</span> lo <span class="token parameter variable">-j</span> DROP
</span></code></pre>
</div></div></div></div></div><div class="wrap h2body-not-exist"><div class="wrap-header h2wrap"><h2 id="另见"><a aria-hidden="true" tabindex="-1" href="#另见"><span class="icon icon-link"></span></a>另见</h2><div class="wrap-body">
<ul>
<li><a href="https://dunwu.github.io/linux-tutorial/linux/ops/iptables.html">Iptables 应用</a></li>
<li><a href="https://netfilter.org/">netfilter 官网</a></li>
</ul>
</div></div><div class="h2wrap-body"></div></div></div></div></body>
</html>
